Yes. But not giving someone else access to your email account seems like the solution here?
I am not sure anyone would knowingly give others access to passwords (nor should they) but that is not to say email accounts can be compromised.
Putting it another way. If you set up a payment to someone you are asked to enter your card pin. To get access to the card's pin in the app you need photo ID and to record a video. So asking for your card pin when trying to send a card to a different address would also seem logical.
Just relying on your phone being secure when in reality you just need a compromised email account to install the app/access on any device seems way too insecure. Especially when the app could be holding thousands now it's a full current account.
They'd need continued access to your phone in order to activate your card if they did manage to get it sent to their address..
And you wouldn't be liable for any money that's taken from the account if your card was stolen so Monzo would reimburse you.
Just to jump in here, there are a few more protections than you see but even if someone were to get a debit card sent to an alternative address, they will need both continued access to your app in addition to your card PIN to activate it.
The majority of changes in this release aren't user-facing ones, but squishing lots of nasty bugs and preparing things in the background for future user-facing updates
The new delivery address flow is a big one for us!
Previously, changing your delivery address required getting in touch with us through in-app support and represented a massive 10% of user queries (I think that statistic was from January rather than all time, but it's historically always represented a large amount of queries). Now this is something users can do themselves!
But that is what I mean they need continued access to your account but that does not have to be on your phone.
I couldn't remember if card activation was behind the pin or not so that is good
Though app access I still see as a different concern.
It is great this is being automated. One step closer to customers being able to self serve
I think we need to look at risk and proportionate security. Monzo will likely have had to document and agree security provisions with their regulator.
The email point is well made, but applicable to many/most internet services. How many can you regain access to via email? (Not to dismiss it, but we should all take measures to protect ourselves - it's wider than Monzo).
All in, my view is that Monzo is doing the right thing in reducing security friction. I understand that some people have an emotive need for additional security ("it doesn't feel secure") - this is valid and might require additional options (like fingerprint auth to get into the app on Android), but I think we should a) trust the Monzo security folk (who'll know much more about checks we can't see) and b) secure what we can (including email and access to our devices).
(On that emotive security point, I'd personally feel safer and more in control if there was a web interface to freeze cards / service accounts etc. I think there's an unemotive need for this too, but that's another story)
Yeah I understand what you are saying. And I guess if the customer is not liable for any "Fraud" it is as much about Monzo protecting themselves as much as the customers perceived protections. So would expect this to evolve as Monzo starts seeing any Fraudulent trends and adapt accordingly.
Coming from a company view of being extremely risk averse you become accustomed to security being in place for everything. Whereas Monzo have the unique position to start with less and add more in as appropriate.
Though I do think options being held behind a card pin to be very effective and a frictionless solution as a security measure.
It's exactly the same as someone hacking your email… clicking forgotten password and accessing your account that way… a hacker can get into any of your online accounts with access to your email server in no time at all…
Bank, Energy supplier, Council Tax, HMRC anything really… unless you have 2 Factor Auth so it's as secure as anything else on the internet…
Haha, not HMRC. It's a challenge to the actual user to get into their HMRC account! One of the best Twitter threads ever in my opinion (it's a series of four, well worth reading them all):
https://twitter.com/jbwol/status/957252002584711168
Seriously, though, HMRC requires 2FA.
It is a PITA having 2FA on HMRC. Someone I know got divorced. Their ex has to ring them for a code to get into their HMRC account. They want to change the mobile number that receives the code but HMRC say it is nothing to do with them and to contact your Gov.Verify provider. They have contacted all of them and every one suggests they try contacting a different provider, none will admit to being the one they registered with.
Hey @Frankiejr! Thank you for your feedback. We indeed want the keyboard to be dismissed and we're sorry this hasn't been dealt with before. Watch out for a fix coming very soon!
Still haven't resolved the "jump" that occurs when you switch from any tab to the Account tab.
Everything jumps up a certain amount of pixels but not the first time.
Once you see it you can never unsee it!
I never noticed that before… now it's annoying me
I loved the four-asterisk PIN button, so I'm very sad to see it go